Contributor

VMs can ping DLR, however not through DLR (i.e. ESG, or External World). OSPF table on ESG is correct and ESG can ping inside DLR interfaces.

VMs can ping DLR interfaces (all of them), inside and outside.

VMs can NOT ping through DLR to ESG

ESG can ping DLR interfaces (all of them), outside and inside (VM default gateway).

But ESG can NOT ping through DLR to VMs (but can ping a VM default gateway).

What would cause DLR not to pass VM traffic through itself to outside world? 

Currently all FWs are off on DLR, ESG, and ANY/ANY on DFW.

OSPF Neighbors are correct and Default routes working on DLR and ESG.

Even with SSH enabled, DLR won't let me PuTTY to it, even from the same subnet.

0 Kudos
6 Replies
Contributor

FYI, both DLR and ESG can ping 8.8.8.8. Only VMs cannot get out.

0 Kudos
Enthusiast

Hi mikalsan

Did you enable route redistribution for "connected" networks to the OSPF routing table on the DLR?

Please consider marking this answer "correct" or "helpful" if you think your question has been answered correctly. Cheers, @vExpertConsult www.vexpertconsultancy.com VCIX-DCV 2018 | VCIX-NV 2019 | VCAP7-CMA Design | vSAN Specialist | vExpert ** | vExpert NSX | vExpert vSAN
0 Kudos
Enthusiast

Hi mikalsan,

The DLR appliance can be a little weird when it comes to communicating to/from it directly. The interface IPs assigned to logical switch interfaces don't actually exist on the control VM. They are 'LIFs' or 'logical interfaces' that exist on every ESXi host in the transport zone. If you configure dynamic routing on the DLR, you'll define a 'protocol address' as part of the process. That address should actually exist on the control VM, and can be used for ping tests, as well as to SSH into the VM etc.

Hope this helps.

Regards,

Mike

My blog: https://vswitchzero.com Follow me on Twitter: @vswitchzero
0 Kudos
Contributor

Thank you for the verification on that. I am able to SSH to the control VM or protocol address of the DLR. Routing is correct on the DLR control VM and can get to 8.8.8.8 outside the environment. Still do not understand why VMs cannot communicate past the LIF.

0 Kudos
Contributor

Yes. DLR is configured to redistribute connected. As stated above, routing tables on ESGs are correct.

DLR control VM also has an OSPF redistributed static from each of the upstream ESGs.

Thank you for the reply.

0 Kudos
Contributor

They can't ping their gateway, nor can they ping VMs on other hosts. Again, this is pretty high level, but above you'll notice that we are not using local egress bluestacks.

0 Kudos